From efe0045c5f7a7fa12ded564a4e7ee49df38cf152 Mon Sep 17 00:00:00 2001
From: Peca
Date: Thu, 7 Aug 2025 19:03:30 +0200
Subject: [PATCH] Introduction of v-fix-website-permissions-only-php script
---
 bin/v-fix-website-permissions | 6 +-
 ...site-permissions-for-all-websites-only-php | 44 +++++++
 bin/v-fix-website-permissions-only-php | 121 ++++++++++++++++++
 install/vst-install-debian.sh | 2 +-
 src/deb/vesta/postinst | 19 ++-
 5 files changed, 184 insertions(+), 8 deletions(-)
 create mode 100644 bin/v-fix-website-permissions-for-all-websites-only-php
 create mode 100644 bin/v-fix-website-permissions-only-php
diff --git a/bin/v-fix-website-permissions b/bin/v-fix-website-permissions
index fca37e15..50b143c8 100644
--- a/bin/v-fix-website-permissions
+++ b/bin/v-fix-website-permissions
@@ -1,6 +1,6 @@
 #!/bin/bash
-# info: Fixing chown and chmod permissions in the public_html directory
-# options: DOMAIN
+# info: Fixing chown and chmod permissions for a website
+# options: DOMAIN [USER]
 #----------------------------------------------------------#
 # Variable&Function #
@@ -68,7 +68,7 @@ if [ -z "$SKIP_OWNERSHIP_CHECK" ] && [ -f "public_html/index.php" ]; then
 fi
 fi
-echo "Updating permissions for /home/$USER/web/$domain/"
+echo "Updating permissions and ownership for /home/$USER/web/$domain/"
 php_chmod_allowed=1
 if [ -f "/home/php_chmod_disabled" ]; then
diff --git a/bin/v-fix-website-permissions-for-all-websites-only-php b/bin/v-fix-website-permissions-for-all-websites-only-php
new file mode 100644
index 00000000..a89d2416
--- /dev/null
+++ b/bin/v-fix-website-permissions-for-all-websites-only-php
@@ -0,0 +1,44 @@
+#!/bin/bash
+# info: fix website permissions for all websites
+# options:
+#
+# The command is used for fixing website permissions for all websites on the server.
+
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+# Importing system variables
+source /etc/profile
+
+# Includes
+source $VESTA/func/main.sh
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+touch /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log
+truncate -s 0 /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log
+
+for user in $(grep '@' /etc/passwd |cut -f1 -d:); do
+ if [ ! -f "/usr/local/vesta/data/users/$user/user.conf" ]; then
+ continue;
+ fi
+
+ for domain in $(/usr/local/vesta/bin/v-list-web-domains $user plain |cut -f 1); do
+ /usr/local/vesta/bin/v-fix-website-permissions-only-php $domain $user >> /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log 2>&1
+ echo "--------------------------------" >> /usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log
+ done
+
+done
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+
+# Logging
+log_event "$OK" "$ARGUMENTS"
+
+exit
diff --git a/bin/v-fix-website-permissions-only-php b/bin/v-fix-website-permissions-only-php
new file mode 100644
index 00000000..cf548e6b
--- /dev/null
+++ b/bin/v-fix-website-permissions-only-php
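Review bot: The loop in bin/v-fix-website-permissions-for-all-websites-only-php passes `$user` and `$domain` unquoted and spells out the log path four times. Defining it once, `log=/usr/local/vesta/log/fix-website-permissions-for-all-websites-only-php.log`, resetting it with `: > "$log"`, and calling the per-domain script with `"$domain" "$user" >> "$log" 2>&1` would be easier to read and safer against word splitting. The exit status of each per-domain run is also discarded, so a domain that was skipped or failed shows up only in that log file while the final `log_event "$OK"` always reports success.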
@@ -0,0 +1,121 @@
+#!/bin/bash
+# info: Fixing PHP and .env permissions and ownership for a website
+# options: DOMAIN [USER]
+
+#----------------------------------------------------------#
+# Variable&Function #
+#----------------------------------------------------------#
+
+whoami=$(whoami)
+if [ "$whoami" != "root" ]; then
+ echo "You must be root to execute this script"
+ exit 1
+fi
+
+# Importing system environment
+source /etc/profile
+
+# Argument definition
+domain=$1
+
+# Check if number of arguments is 2
+if [ $# -eq 2 ]; then
+ user=$2
+else
+ user=$(/usr/local/vesta/bin/v-search-domain-owner $domain)
+fi
+USER=$user
+
+# Includes
+source /usr/local/vesta/func/main.sh
+source /usr/local/vesta/conf/vesta.conf
+
+if [ -z "$user" ]; then
+ check_result $E_NOTEXIST "domain $domain doesn't exist"
+fi
+
+#----------------------------------------------------------#
+# Verifications #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'DOMAIN'
+is_format_valid 'domain'
+is_object_valid 'user' 'USER' "$user"
+
+if [ ! -d "/home/$user" ]; then
+ echo "Error: Folder /home/$user doesn't exist";
+ exit 1;
+fi
+
+if [ ! -d "/home/$user/web/$domain/public_html" ]; then
+ echo "Error: Folder /home/$user/web/$domain/public_html doesn't exist";
+ exit 1;
+fi
+
+#----------------------------------------------------------#
+# Action #
+#----------------------------------------------------------#
+
+# Going to domain directory
+cd /home/$USER/web/$domain
+
+# Ownership check
+if [ -z "$SKIP_OWNERSHIP_CHECK" ] && [ -f "public_html/index.php" ]; then
+ owner=$(stat -c '%U' "public_html/index.php")
+ if [ "$owner" = "root" ] || [ "$owner" = "www-data" ]; then
+ echo "Skipping permission fix for $domain, because v-lock-wordpress is used (index.php is owned by $owner)"
+ exit 1
+ fi
+fi
+
+echo "Updating PHP and .env permissions and ownership for /home/$USER/web/$domain/"
+
+php_chmod_allowed=1
+if [ -f "/home/php_chmod_disabled" ]; then
+ php_chmod_allowed=0
+fi
+if [ -f "/home/$USER/php_chmod_disabled" ]; then
+ php_chmod_allowed=0
+fi
+if [ -f "/home/$USER/web/php_chmod_disabled" ]; then
+ php_chmod_allowed=0
+fi
+if [ -f "/home/$USER/web/$domain/php_chmod_disabled" ]; then
+ php_chmod_allowed=0
+fi
+
+# === PHP and .env permissions ===
+if [ "$php_chmod_allowed" -eq 1 ]; then
+ php_chmod="600"
+
+ if [ "$WEB_SYSTEM" = 'nginx' ]; then
+ php_chmod="644"
+ fi
+
+ if [ -f "/home/php_chmod" ]; then
+ php_chmod=$(cat /home/php_chmod)
+ fi
+ if [ -f "/home/$USER/php_chmod" ]; then
+ php_chmod=$(cat /home/$USER/php_chmod)
+ fi
+ if [ -f "/home/$USER/web/php_chmod" ]; then
+ php_chmod=$(cat /home/$USER/web/php_chmod)
+ fi
+ if [ -f "/home/$USER/web/$domain/php_chmod" ]; then
+ php_chmod=$(cat /home/$USER/web/$domain/php_chmod)
+ fi
+
+ # Setting chmod 600 for all .php and .env files
+ echo "= Setting chmod $php_chmod for all .php and .env files"
+ # Fixing permissions
+ find -type f \( -name "*.php" -o -name "*.env" \) ! -perm $php_chmod -exec chmod $php_chmod {} +
+ # Fixing ownership
+ find -type f \( -name "*.php" -o -name "*.env" \) ! -user $USER -exec chown $USER:$USER {} +
+fi
+
+#----------------------------------------------------------#
+# Vesta #
+#----------------------------------------------------------#
+echo "PHP and .env permissions and ownership for $domain have been successfully updated."
+
+exit 0
diff --git a/install/vst-install-debian.sh b/install/vst-install-debian.sh
index 9517e4ef..1c8f2e1b 100755
--- a/install/vst-install-debian.sh
+++ b/install/vst-install-debian.sh
@@ -1894,7 +1894,7 @@ command="sudo $VESTA/bin/v-update-user-stats"
 $VESTA/bin/v-add-cron-job 'admin' '20' '00' '*' '*' '*' "$command"
 command="sudo $VESTA/bin/v-update-sys-rrd"
 $VESTA/bin/v-add-cron-job 'admin' '*/5' '*' '*' '*' '*' "$command"
-command="sudo $VESTA/bin/v-fix-website-permissions-for-all-websites > /dev/null 2>&1"
+command="sudo $VESTA/bin/v-fix-website-permissions-for-all-websites-only-php"
 $VESTA/bin/v-add-cron-job 'admin' '05' '03' '*' '*' '*' "$command"
 systemctl restart cron.service
diff --git a/src/deb/vesta/postinst b/src/deb/vesta/postinst
index d8a22ee1..f5f79877 100755
--- a/src/deb/vesta/postinst
+++ b/src/deb/vesta/postinst
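Review bot: In bin/v-fix-website-permissions-only-php the mode read by `php_chmod=$(cat …/php_chmod)` is passed unquoted to `find … ! -perm $php_chmod -exec chmod $php_chmod {} +`, and that command runs as root. Three of the four override files live under `/home/$USER`, which the site owner can presumably write, so their contents are word-split into extra `find`/`chmod` arguments instead of being treated as a mode; the value should be checked to be a plain octal mode and every expansion quoted. Both `find` passes also walk a tree the site owner controls, so `-xdev` and `chown -h` are worth adding to keep the ownership pass on the home filesystem and off symlink targets. Separately, `cd /home/$USER/web/$domain` has no failure check; `cd "/home/$USER/web/$domain" || exit 1` keeps the later `find` from running in whatever directory the caller started in.

```shell
    # … unchanged: php_chmod default and the four override reads …

    # The mode may come from a file the site owner controls: accept a plain octal mode only
    if ! [[ "$php_chmod" =~ ^0?[0-7]{3}$ ]]; then
        echo "Error: invalid php_chmod value for $domain"
        exit 1
    fi

    # … unchanged: echo "= Setting chmod $php_chmod …" …
    # Fixing permissions
    find . -xdev -type f \( -name "*.php" -o -name "*.env" \) ! -perm "$php_chmod" -exec chmod "$php_chmod" {} +
    # Fixing ownership
    find . -xdev -type f \( -name "*.php" -o -name "*.env" \) ! -user "$USER" -exec chown -h "$USER:$USER" {} +
```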
@@ -27,10 +27,21 @@ VESTA="/usr/local/vesta"
 echo "1" > /usr/local/vesta/data/upgrades/show_changelog
 chmod a=rw /usr/local/vesta/data/upgrades/show_changelog
-# Fixing permissions for all websites
-if ! grep -q "fix-website-permissions-for-all-websites" /usr/local/vesta/data/users/admin/cron.conf; then
- echo "== Fixing permissions for all websites"
- command="sudo $VESTA/bin/v-fix-website-permissions-for-all-websites > /dev/null 2>&1"
+if grep -q "fix-website-permissions-for-all-websites" /usr/local/vesta/data/users/admin/cron.conf; then
+ if ! grep -q "fix-website-permissions-for-all-websites-only-php" /usr/local/vesta/data/users/admin/cron.conf; then
+ echo "== Renaming fix-website-permissions-for-all-websites to fix-website-permissions-for-all-websites-only-php"
+ sed -i 's|v-fix-website-permissions-for-all-websites > /dev/null 2>&1|v-fix-website-permissions-for-all-websites-only-php|' /usr/local/vesta/data/users/admin/cron.conf
+ sed -i 's|v-fix-website-permissions-for-all-websites > /dev/null 2>&1|v-fix-website-permissions-for-all-websites-only-php|' /var/spool/cron/crontabs/admin
+ sed -i 's|v-fix-website-permissions-for-all-websites |v-fix-website-permissions-for-all-websites-only-php |' /usr/local/vesta/data/users/admin/cron.conf
+ sed -i 's|v-fix-website-permissions-for-all-websites |v-fix-website-permissions-for-all-websites-only-php |' /var/spool/cron/crontabs/admin
+ systemctl restart cron.service
+ fi
+fi
+
+# Fixing PHP and .env permissions and ownership for all websites
+if ! grep -q "fix-website-permissions-for-all-websites-only-php" /usr/local/vesta/data/users/admin/cron.conf; then
+ echo "== Fixing PHP and .env permissions and ownership for all websites"
+ command="sudo $VESTA/bin/v-fix-website-permissions-for-all-websites-only-php"
 $VESTA/bin/v-add-cron-job 'admin' '05' '03' '*' '*' '*' "$command"
 systemctl restart cron.service
 fi
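Review bot: The two `sed -i` calls on `/var/spool/cron/crontabs/admin` patch the live crontab by hand and run without checking that the file exists. Guarding them with `[ -f /var/spool/cron/crontabs/admin ]`, or regenerating the spool file from the edited `cron.conf` (Vesta ships `v-rebuild-cron-jobs` for this, if it is available on the target release), would avoid keeping two hand-edited copies of the same job in step. The `sed` expressions also match only the exact `> /dev/null 2>&1` suffix or a trailing space, so an entry stored in any other form is left untouched and the following `if ! grep -q "…-only-php"` block then adds a second job next to the old one; a comment naming the stored forms this migration expects would help.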